r62195 - in /branches/lenny/libwww-perl: bin/lwp-download debian/changelog
ansgar-guest at users.alioth.debian.org
Sun Aug 29 16:41:07 UTC 2010
Author: ansgar-guest
Date: Sun Aug 29 16:40:53 2010
New Revision: 62195
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=62195
Log:
CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to
filenames suggested by the server that start with a . (dot) character.
commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e
Modified:
branches/lenny/libwww-perl/bin/lwp-download
branches/lenny/libwww-perl/debian/changelog
Modified: branches/lenny/libwww-perl/bin/lwp-download
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libwww-perl/bin/lwp-download?rev=62195&op=diff
==============================================================================
--- branches/lenny/libwww-perl/bin/lwp-download (original)
+++ branches/lenny/libwww-perl/bin/lwp-download Sun Aug 29 16:40:53 2010
@@ -138,7 +138,9 @@
# validate that we don't have a harmful filename now. The server
# might try to trick us into doing something bad.
if (!length($file) ||
- $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge)
+ $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge ||
+ $file =~ /^\./
+ )
{
die "Will not save <$url> as \"$file\".\nPlease override file name on the command line.\n";
}
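Review bot: The comment above the condition still speaks only of a "harmful filename" and does not record that a leading dot is now one of the rejected cases; extend it to say that server-suggested names starting with "." are refused, since the die message gives the user no reason either. The added `$file =~ /^\./` test runs after the `s///ge` has already rewritten `$file`, which works because "." is in the allowed character class and is never escaped, but that ordering dependency deserves a short comment so a later change to the class does not silently break the check.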
Modified: branches/lenny/libwww-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libwww-perl/debian/changelog?rev=62195&op=diff
==============================================================================
--- branches/lenny/libwww-perl/debian/changelog (original)
+++ branches/lenny/libwww-perl/debian/changelog Sun Aug 29 16:40:53 2010
@@ -1,3 +1,11 @@
+libwww-perl (5.813-1+lenny2) stable; urgency=low
+
+ * CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to
+ filenames suggested by the server that start with a . (dot) character.
+ commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e
+
+ -- Ansgar Burchardt <ansgar at 43-1.org> Mon, 30 Aug 2010 01:29:12 +0900
+
libwww-perl (5.813-1+lenny1) stable; urgency=low
* Fix incorrect use of redo. (Closes: #591462)
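Review bot: The new 5.813-1+lenny2 entry carries no bug reference, whereas the lenny1 entry below it uses "(Closes: #591462)"; if a Debian bug tracks CVE-2010-2253, add its Closes: tag so the upload closes it. The entry is also marked urgency=low although it fixes a CVE, so confirm that value is intended for this upload.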